Threat based approach to Logging & Monitoring

In today’s Information Risk Management Frameworks, continuous security Logging & Monitoring plays a critical role. Nearly all critical business processes are now supported by Information Technology (IT), and with that the dependency on systems and services being properly managed and controlled has become mission critical.

Information Risk Management and with it the topic of Cyber Security has achieved mainstream recognition as a significant global economic risk. Even the 2013 World Economic Forum (WEF) listed Cyber attacks as a main risk / concern with a growing likelihood and large possible impact.


Every major industry standard (e.g. ISO or NIST) has a definition for logging & monitoring. Security logging and monitoring is a process which an organization must follow on a continuous basis: it needs to capture, analyze and examine application and infrastructure logs, system events and status information in an automated and near-real-time fashion. The goal is to detect and discover early indications of potential or actual unauthorized security-related activities. The process must ensure that the collected log information can be utilized as evidence in case of legal or regulatory breaches, and the material used must provide an effective and tamper-proof audit trail.

Given the complexity and scale of today’s IT environments it becomes clear that the one-size-fits-all approach of the past can’t be used anymore. Information Technology has come a long way from providing IT services only in-house, towards outsourced services and nowadays industrialized cloud-based IT services. With these changes the requirements for security logging & monitoring have changed dramatically.

A risk based security logging & monitoring approach is based on a clear differentiation between areas where preventive controls are in place already and where detection and aggregation of log information can deliver real added value. Such an approach does not require all infrastructure components, systems, applications, or services (cloud or in-house) to be monitored at all times and at every location. Based on the criticality of the systems for IT and the Business paired with the regulatory and policy requirements you determine which systems have to be included and which information will be monitored.

From your Compliance Monitoring (CM) efforts you already know how your systems benchmark against the documented and agreed baseline (e.g. standard build). From your Vulnerability Management (VM) service you have visibility into the actual health status of your assets. Based on that, your local system L&M coverage may only need to include privilege escalations, permission changes, kernel modifications and application changes, focusing on highly privileged users and IT administrative accounts.

The way to go is to develop a ‘threat model’ that guides you in determining which “scenarios” you want to identify, and therefore which logs from which systems you require to identify those scenarios. Starting with the high-level scenarios, you can easily see how they trickle down into lower-level technical scenarios, which then become your SIEM rules.

High level IT scenarios may include topics like this:

  • Malware compromises a VIP workstation and steals credentials
  • Malware compromises non-VIP workstation but uses it as an intermediate point to other targets
  • System administrator (SA) plants a logic bomb on multiple servers
  • Trader uses another person’s account or a generic application account to perform fraud
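As an added illustration (not part of the original post) of how one of these high-level scenarios trickles down into a SIEM rule, the snippet below refines “System administrator plants a logic bomb on multiple servers” into the technical scenario “one admin account rewrites crontabs on three or more distinct servers within ten minutes” and runs it over a few constructed log lines. Host names, account names and the `adm_` naming convention for privileged accounts are assumptions.

```python
# Added example, not from the original post: one high-level threat scenario
# ("SA plants a logic bomb on multiple servers") refined into a correlation
# rule: "one admin account rewrites crontabs on >= 3 hosts within 10 min".
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-like lines; hosts and accounts are hypothetical.
SAMPLE_LOGS = """\
2014-01-10T02:01:10 db01 crontab[411]: (adm_jsmith) REPLACE (adm_jsmith)
2014-01-10T02:02:45 app03 crontab[982]: (adm_jsmith) REPLACE (adm_jsmith)
2014-01-10T02:03:12 app03 sshd[990]: Accepted publickey for adm_jsmith
2014-01-10T02:05:30 web07 crontab[150]: (adm_jsmith) REPLACE (adm_jsmith)
2014-01-10T09:15:00 web07 crontab[300]: (backup) REPLACE (backup)
2014-01-10T14:20:00 db01 crontab[520]: (adm_klee) REPLACE (adm_klee)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
CRONTAB_RE = re.compile(r"^\((?P<user>[^)]+)\) REPLACE ")  # crontab rewritten by <user>

def parse(raw):
    """Turn raw lines into event dicts; 'user' is set only for crontab REPLACE events."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # dropped here; a real SIEM would count unparseable lines
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        cm = CRONTAB_RE.match(ev["msg"])
        ev["user"] = cm.group("user") if cm else None
        events.append(ev)
    return events

def logic_bomb_rule(events, min_hosts=3, window=timedelta(minutes=10), prefix="adm_"):
    """Alert when one privileged account (assumed 'adm_' naming convention)
    rewrites crontabs on >= min_hosts distinct hosts inside a sliding window."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["prog"] == "crontab" and ev["user"] and ev["user"].startswith(prefix):
            by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "first": start["ts"], "hosts": sorted(hosts)})
                break  # one alert per account; the analyst pivots from there
    return alerts
```

The same pattern (filter events, group by actor, count distinct targets in a window) fits the other scenarios above, e.g. one account authenticating from workstations assigned to several different people.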

Using industrialized cloud services does not release you from running a continuous L&M approach. It is the responsibility of the cloud service provider to monitor its own logs, but you have to make sure that you fully understand the cloud provider’s policies, procedures and incident alerting criteria. Your risk management monitoring & reporting will depend on information provided by the cloud provider. Aspects you may still want to monitor are, for example, the interfaces between the cloud provider and your environment on both the infrastructure and the application level. Credentials used within the cloud are most probably the ones you use internally as well, and you want to watch out for any kind of abuse and privilege escalation around them. Ideally the cloud provider would also make some application-level logs available for you to monitor your own data / service usage.

A risk based L&M approach requires governance, structure, processes and automation. A list of top down building blocks / requirements for a risk based logging & monitoring approach could look like this:


  • Security Policy requiring ongoing L&M
  • Compliance mandates (e.g. SOX, PCI)

Risk Management

  • L&M Core Control (What)
  • L&M Procedural Controls (How)


  • Architectural L&M design for build and / or buy
  • Data retention policy
  • Configuration Management / System Development Lifecycle
  • Asset Management / Inventory Management

IT Operations

  • L&M Standard IT
  • Segregation of Duties (IT & Security but also Development & Testing)
  • Threat & Malware Detection / Management
  • Vulnerability Assessment & Management
  • Compliance Monitoring

Security Operations

  • L&M Standard Security
  • Risk based L&M Approach
  • Incident Response Procedures
  • SOC operational procedures & processes

Some indicators for assessing whether your current logging & monitoring approach is still fit for its originally intended purpose are:

  • Do you have a well documented L&M approach with clear processes & procedures for data review/analysis and escalation/incident response?
  • Are you using cloud services and have not adjusted your L&M approach?
  • Your current L&M solution becomes more and more expensive and the capacity & cost requirements are going through the roof (cost effectiveness)
  • IT delivers both IT and Security operations at the same time (segregation of duties)
  • Your current L&M approach focuses on compliance only and does not deliver actual / perceived value
  • A big portion of your approach relies on manual tasks and is not near real time
  • Your L&M approach focuses on infrastructure only, leaving applications fully out of scope

Feel free to reach out to me if you want to discuss the shown concept.



  1. #1 by SutoCom on January 15, 2014 - 11:38 am

  2. #2 by safety systems on January 22, 2014 - 2:13 pm

    Hi there, very nice blog!! Man .. Beautiful .. Wonderful ..
    I’ll bookmark your web site and take the feeds additionally?
    I am glad to find so many helpful info here within the submit, we want to develop more strategies in this regard, thanks for sharing.
